always revoke the certificate, even if it is already expired
authorale <ale@incal.net>
Fri, 7 Feb 2014 18:56:50 +0000 (18:56 +0000)
committerale <ale@incal.net>
Fri, 7 Feb 2014 18:56:50 +0000 (18:56 +0000)
cam/ca.py
cam/cert.py

index f8a202f..0bf7fcf 100644 (file)
--- a/cam/ca.py
+++ b/cam/ca.py
@@ -160,7 +160,10 @@ class CA(object):
 
         expiry = cert.get_expiration_date()
         if expiry and expiry > time.time():
-            log.warn('certificate is still valid, revoking previous version')
+            log.warn('certificate is still valid')
+
+        if cert.exists():
+            log.warn('revoking previous version')
             self.revoke(cert)
 
         log.info('generating new certificate %s', cert.name)
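Review bot: The new guard `if cert.exists():` ties the decision to revoke to the presence of a file in the CA's working directory rather than to the CA's own issuance records, so a certificate that was issued but whose file was removed or never written is not revoked and stays valid until it expires. Whether `self.revoke` consults the CA index or tolerates an already-revoked serial is not visible in this hunk, so the behaviour of a second renewal after an interrupted run should be confirmed. The first branch now only emits `certificate is still valid` and is followed immediately by a second warning, so the two could be folded into one message, e.g. `log.warning('revoking previous version (still valid)' if expiry and expiry > time.time() else 'revoking previous version')`. `Logger.warn` is a deprecated alias of `warning`, and the rewritten lines are a natural place to switch to `log.warning(...)`. The enclosing method starts outside the hunk.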
index 9254fb0..9aab798 100644 (file)
@@ -32,8 +32,11 @@ class Cert(object):
         self.private_key_file = os.path.join(ca.basedir, 'private',
                                              '%s.key' % name)
 
+    def exists(self):
+        return os.path.exists(self.public_key_file)
+
     def get_fingerprint(self, digest='sha1'):
-        if os.path.exists(self.public_key_file):
+        if self.exists():
             output = openssl_wrap.run('x509', '-in', self.public_key_file,
                                       '-noout', '-fingerprint', '-%s' % digest)
             m = re.search(r'=(.*)$', output)
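Review bot: The new `exists()` method has no docstring, and its name promises more than the body checks: it tests only `self.public_key_file`, so a certificate whose private key file is missing still reports as existing. Suggest `"""Return True if the certificate file (public_key_file) is on disk; the private key is not checked."""`. `os.path.exists` is also true for an empty or truncated file, so both callers that go on to run `openssl x509` on it (`get_fingerprint` here and `get_expiration_date` in the next hunk) rely on `openssl_wrap.run` surfacing the parse failure; that helper is outside this diff, so its error handling should be confirmed. `get_fingerprint` continues past the end of the hunk.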
@@ -42,7 +45,7 @@ class Cert(object):
         return None
 
     def get_expiration_date(self):
-        if os.path.exists(self.public_key_file):
+        if self.exists():
             output = openssl_wrap.run('x509', '-in', self.public_key_file,
                                       '-noout', '-dates')
             m = re.search(r'notAfter=(.*)', output)